The Way Business Is Moving published by
Issue Date: April 2006

An integrated risk management approach

April 2006
Andrew Seldon

Security concerns have been on the radar screen for years and are not going to vanish anytime soon. Fortunately, while the threats are changing with the times and becoming more insidious, so the defences are adapting to the new threats.

As technology expands its role and importance in business, effectively handling the threats of security holes and intrusions has become a critical part of IT's job. More than a separate task that has to be completed on top of everything else, controlling the security of systems and databases has become integrated into the standard fare for IT staff.
From the time a user logs into a system, whether remotely or while on company premises, everything he/she does must be controlled. What servers and applications the user can access, what data may be viewed and changed, and even whether e-mail attachments may be opened must be under control of the organisation's security policy.
While it may be more secure, companies cannot expect users to remember unique passwords to each and every application they need - since remembering one is already too much, leading to Post-It notes on screens with passwords written on them. What may be more efficient is to have one secure authentication mechanism that automatically logs people on to various systems automatically - if they have permission, of course. And if you can authenticate yourself in a certain way via your office PC, you should be able to do the same from anywhere.
And as the technology and physical security worlds converge, we will see greater demand from companies for more sophisticated identity and authentication management solutions that are easier to use and manage. Already, various companies, large and small are offering solutions.
CA, for example, has released its integrated identity and access management solution, a result of the integration of the company's SiteMinder and Single Sign-On products. The company says the integration provides seamless single sign-on across the extended enterprise - including web, client/server, mainframe and federated environments. Single sign-on grants users access to applications or systems without requiring them to juggle multiple usernames and passwords or re-enter their credential information each time they access an application.
"Enterprise customers require secure single sign-on (SSO) solutions that span all business applications regardless of the hosting platform," said Phil Schacter, vice president and group service director, Burton Group. "CA has made great progress towards providing the benefits of an integrated SSO solution that is part of a comprehensive and auditable approach to identity and access management. SSO solutions enable stronger password policies and the flexibility to deploy multifactor authentication systems in a phased approach with minimal impact on existing applications."
CA SiteMinder provides a centralised security infrastructure for managing user authentication and access across internal and external websites. CA Single Sign-On provides simplified and secure end-user access to legacy applications, databases, and client/server applications. Integration between the products enables customers to:
* Simplify everyday computing tasks through seamless authentication between resources protected by either solution.

* Deploy a combination of authentication schemes, with more sensitive applications requiring re-authentication with stronger authentication as appropriate.
McAfee, better known for its antivirus solutions is also in on the game, having recently announced its network access control (NAC) strategy. McAfee NAC, powered by McAfee Policy Enforcer, gives medium to large businesses anywhere, anytime access to corporate networks for their employees, guests and contractors, while protecting valuable assets from the risk of endpoint malware and misconfiguration.
"To maintain the availability and integrity of the IT infrastructure in the face of a rapidly changing threat environment, businesses should implement a NAC process and architecture," said Lawrence Orans, Gartner research analyst. "This helps evaluate the security of a system or user as it connects to the network; monitors the security of systems that are already connected; and implements network access and system remediation policies based on the system, the threat environment and the user's identity."
Oracle is a company that should know the data centre's needs in terms of security. The company's Francois Marais says Oracle has created a virtual directory that handles single sign-on tasks as well as provisioning of employees rights on the corporate systems. The solution sits above the current infrastructure and handles authentication tasks to ensure users have access to what they need - no matter where the application originates as the system's based on web services standards - and prevents any access where it is forbidden.
An issue for everyone
Security is a topic everyone is concerned with - and a potentially lucrative business if you can get it right. StorTech has launched its own security division with the goal of assisting customers in effectively securing their information - a good idea since the company is better known for helping companies store and manage their information. To this end, head of the new division, Rob Watson, says identity management is key.
Watson says there are five key elements of successful identity management: who, what, where, when and how. He adds that the traditional way of handling these elements is via a password - and that is not optimal any more. Two-factor authentication is the way to go, but Watson notes that the popular use of smartcards or fingerprint recognition may also not be the optimal method.
There is always the question of how accurate fingerprint scans are; and what if a user loses a smartcard? Tokens have been adopted by many companies, but the costs can be prohibitive. Watson suggests we may in future look at a more convenient solution to replace tokens, such as mobile phones - everyone has one and it would be much easier and cheaper to install software on the phone to act as the second component in the authentication process, or simply to use text services.
The next step
Of course authentication is only the start. Looking at two of the leading notebook providers in South Africa, we can see how security has also changed what is important in mobile computers - it is more than processor speed.
HP, for example, uses its security technology to secure notebooks from the hardware and firmware up to the data stored on the drive - dependent on the user identifying himself appropriately. Certain machines can also have biometric readers built in.
He also says that the main board and the hard drive can be linked so that no one without the proper authorisation can remove a hard drive and try to read it in another machine. HP can also provide a hard disk sanitiser that will delete all the data from a drive if it is removed from its notebook.
Dell's Gavin Slevin agrees, noting that one size does not fit all in the security game. The company therefore offers a host of security features, from simple ideas like a reinforced cable lock to a facility through which stolen notebooks can be traced if they are hooked up to the Internet. Dell also offers preboot authentication services for those with serious security concerns about the data on their systems.
As well as supporting various backup considerations in its mobile devices, Dell also offers customers the option of having their desktop security suites installed during manufacturing. As a global OEM of companies such as Symantec and McAfee, the company is able to offer good pricing on these very necessary software additions.
The sieve from Seattle
And what look at security would be complete without a mention of Microsoft. When it comes to security, Microsoft comes last, always. Whether this view of the security of Microsoft's products is an accurate one or one brought about by circumstances and hype is irrelevant. Today, one simply assumes Windows is a security sieve and purchases additional software to deal with the problems.
Fortunately, Microsoft is planning to address many of these issues in the next version of Windows, named Vista. In addition, Colin Erasmus, security manager at Microsoft South Africa says we will soon see the company offering a desktop management tool in the form of Windows OneCare, which will deliver, among other functionality, antivirus and antispam protection to users.
Colin Erasmus
Colin Erasmus
In addition, Microsoft's server products will also be fitted with improved security products to make them safer out of the box; and the new version of IE will be more secure with, among other improvements, opt-in ActiveX controls.
Integrated security
The issue all security gurus agree on, however, is that point solutions do not cut it any more. Alkesh Patel, Security and Privacy Consultant for IBM SA says there are various levels involved in protecting an organisations IT systems, but they should all work together to complement each other to strengthen the end-to-end security of the system.
IBM views security preparations as part of a company's business resilience planning - proactively managing risk by being adaptive to the environment. As part of this approach, IBM has launched a resilience centre in Cresta, Randburg that can host up to 700 people. Patel notes that it is not only major incidents such as earthquakes that occur infrequently (if ever) that require resilience planning, but also more common problems such as virus outbreaks and specific overflow needs.
Security is not merely a case of assigning a username and password anymore. Today, threats come from inside and outside a company, from known and unknown sources, necessitating a proactive approach to security. Products are still important, but only to back up a security policy and properly trained employees who know how to protect themselves and their data from obvious attacks. And as has been hyped to death, you can never be 100% secure, but you can do enough to protect yourself and the data and systems considered important. Failing to take precautions is irresponsible and will soon mean companies and executives will be in conflict with compliance regulations.
CA designated a market leader
Forrester Research has named CA a market leader in its recent report, The Forrester Wave: User Account Provisioning, Q1 2006, saying that CA "has a rich and unique portfolio of integrated identity management solutions and a strong commitment to the market that aligns well with its overall corporate strategy."
According to the report, "CA has one of the broadest and most integrated set of identity management solutions on the market today. Few vendors have enterprise single sign-on, host access control, and web services security, and CA stands alone with all three. CA is deeply committed to identity management, both as the lead area in security and as a core element of its overall enterprise IT management (EITM) strategy."
The Forrester report concluded: "CA delivers strong auditing and administration atop a robust architecture. CA is best suited for companies seeking a robust, fully functional product."

Others who read this also read these articles

Search Site


Previous Issues